Symantec Access Management

  • 1.  Can the same webagent protect two resources at different authentication levels ?

    Posted Sep 21, 2017 03:08 PM

    Hello,

     

    Scenario:
    -------------
    Webagent name:  test_agent
    Protected URLs:  /application1
                                 /application2

     

    We want to protect /application1 at authentication level 10
                             and /application2 at authentication level 5.


    Is the below configuration possible for the same webagent: test_agent:

    1. If a user tries to access resource /application1, the webagent returns a level 10 SMSESSION cookie.
    2. If a user tries to access resource /application2, the webagent returns a level 5 SMSESSION cookie.

     

     

    Thanks,
    Mitesh



  • 2.  Re: Can the same webagent protect two resources at different authentication levels ?

    Posted Sep 21, 2017 03:15 PM

    Yes this is supported.

     

    Realm-1 : /application-1    --> Protected using AuthScheme-Level-10.

    Realm-2 : /application-2    --> Protected using AuthScheme-Level-5.

     

    If it is two different applications, I'd separate them into two different Policy Domains.

     

    PolicyDomain-App1:

    test_agent --> AgentGroup-App1 --> Realm-1 : /application-1    --> Protected using AuthScheme-Level-10.

     

    PolicyDomain-App2:

    test_agent --> AgentGroup-App2 --> Realm-1 : /application-2    --> Protected using AuthScheme-Level-05.

     

    We hope you are aware of the rule of SSO & User Experience when traversing across realms which have different Authentication levels.



  • 3.  Re: Can the same webagent protect two resources at different authentication levels ?

    Posted Sep 21, 2017 03:37 PM

    Hubert,

    Thank you for your prompt response.

     

    Just to reconfirm, we are using only one policy domain.

     

    Can you point me to the Siteminder guide where this is documented - wrt the fact that one webagent can protect resources at different auth levels on the same policy domain ?

     

    Thank you for your help.

    Mitesh



  • 4.  Re: Can the same webagent protect two resources at different authentication levels ?

    Posted Sep 21, 2017 04:02 PM

    Hopefully this helps!

     

    https://support.ca.com/cadocs/0/CA%20SiteMinder%20%20Secure%20Proxy%20Server%20r12%200%20SP3-ENU/Bookshelf_Files/HTML/index.htm?toc.htm?283504.html

     

    https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/policy-server-configuration/authentication-schemes#AuthenticationSchemes-ProtectionLevels

     

    Now if we are specifically looking for a statement "Single/Same WebAgent protecting two unique resources with their respective realms & auth scheme on different protection level", I doubt we are going to find such a statement.



  • 5.  Re: Can the same webagent protect two resources at different authentication levels ?

    Posted Sep 21, 2017 04:23 PM

    Thank you Hubert.

     

    In our organization, we have custom authentication scheme levels: 5, 10, 15.

    level 0 is for unprotected resources. Level 15 for the highest security resources.

     

    For the current webagent there is only one realm with authentication scheme: level 10 - that is currently protecting /application1

     

    So basically, we will have to add one more realm with level 5 and protect /application2 URI against this new realm.

     

    Is this understanding correct ?

     

    Also I found the below document which has instructions on creating a new realm.

    https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/policy-server-configuration/realms-overview/configure-realms

     

    In summary, we can refer to this documentation to create the new realm at level 5 for the same webagent and protect URI /application2. Please confirm.

     

    Thank you for all your help.

     

    Mitesh



  • 6.  Re: Can the same webagent protect two resources at different authentication levels ?
    Best Answer

    Posted Sep 21, 2017 05:16 PM

    Mitesh

     

    The Protection Level is defined within the Authentication Scheme.

     

    We create the realm (with resource filter i.e. URI to be protected) and associate the Authentication Scheme to the realm. That is how the protection level from the Authentication Scheme gets applied to the Realm.
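
Added example, not part of the thread and not SiteMinder code: a simplified Python model of the setup discussed above, with one agent, two realms, and the protection level taken from each realm's authentication scheme. It assumes longest-filter realm matching on path-segment boundaries and that a session authenticated at a given level satisfies realms at an equal or lower level; the function names and sample paths are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class AuthScheme:
    name: str
    protection_level: int  # the level lives on the scheme, not on the realm

@dataclass(frozen=True)
class Realm:
    name: str
    resource_filter: str   # URI prefix the realm protects
    scheme: AuthScheme

# Values from the thread: /application1 at level 10, /application2 at level 5,
# both served by the same agent (test_agent).
LEVEL_10 = AuthScheme("AuthScheme-Level-10", 10)
LEVEL_5 = AuthScheme("AuthScheme-Level-5", 5)
REALMS = [
    Realm("Realm-1", "/application1", LEVEL_10),
    Realm("Realm-2", "/application2", LEVEL_5),
]

def match_realm(path: str, realms=REALMS) -> Optional[Realm]:
    """Return the realm with the longest matching filter (model assumption)."""
    hits = [r for r in realms
            if path == r.resource_filter
            or path.startswith(r.resource_filter + "/")]
    return max(hits, key=lambda r: len(r.resource_filter), default=None)

def decide(path: str, session_level: Optional[int]) -> str:
    """Decide what happens for a request carrying a session at session_level.

    session_level is None when the request has no valid session.
    """
    realm = match_realm(path)
    if realm is None:
        return "unprotected"
    required = realm.scheme.protection_level
    if session_level is not None and session_level >= required:
        return "allow"  # existing session is strong enough, no new challenge
    # No session, or a session below the realm's level: authenticate with
    # the scheme attached to this realm.
    return f"challenge:{realm.scheme.name}"

if __name__ == "__main__":
    # Constructed sample requests: (path, level of the current session)
    for path, level in [("/application1/home", None), ("/application2/home", 10),
                        ("/application1/home", 5), ("/public/index.html", None)]:
        print(path, level, "->", decide(path, level))
```

A user who logs in to /application2 first (level 5) is challenged again on reaching /application1 (level 10), while the reverse order needs no second login.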

     

     

     

     



  • 7.  Re: Can the same webagent protect two resources at different authentication levels ?

    Posted Sep 21, 2017 05:24 PM

    Thank you Hubert. This helps a lot.